I'm trying to build a standard inside/dmz/outside configuration with an ASA 5510 (running 8.3) to support testing an MS Exchange server 2010, where the hub role is on a box on the inside network (10.0.20.40) and the edge role is on a server in the dmz (192.168.200.53).
My difficulties are as follows:
1) All traffic seems to be blocked between dmz and inside. For example, DNS (UDP 53) is not working for the mail edge server when it looks for DNS servers on the inside.
2) TCP port 50636 also needs to be open between inside and dmz for the ADAM service to work. I'm getting errors regarding an asymmetrical NAT issue denying that traffic -- perhaps because source and dest ports are different for this traffic?
3) Connectivity to/from the outside appears to be failing also. I do not appear to be able to connect to the http or https services of the edge server using its public IP from an outside source.
Here is my running config:
ASA Version 8.3(2)
!
hostname test
domain-name test.com
enable password zzzzzzzzzzzzzzzzzz encrypted
passwd zzzzzzzzzzzzzzz encrypted
names
!
interface Ethernet0/0
 description Outside
 nameif outside
 security-level 0
 ip address 188.8.131.52 255.255.255.240
!
interface Ethernet0/1
 description DMZ
 nameif dmz
 security-level 10
 ip address 192.168.200.1 255.255.255.0
!
interface Ethernet0/2
 description Inside
 nameif inside
 security-level 100
 ip address 10.0.20.1 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
boot system disk0:/asa832-k8.bin
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 184.108.40.206
 name-server 220.127.116.11
 domain-name test.com
object network NAT_inside-dmz
 subnet 10.0.20.0 255.255.255.0
 description NAT between inside and dmz
object network NAT_publicmail-inside
 host 192.168.200.53
 description NAT for public mail IP
object network staticPAT
 host 192.168.200.53
 description Static PAT for dmz mail server
object network Mail-public-NAT
 host 192.168.200.53
 description Static NAT between mail edge server in dmz and outside
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
object-group service ADAM tcp
 description LDAP over SSL for ADAM
 port-object eq 50636
access-list outside_access_in extended permit tcp any host 18.104.22.168 object-group DM_INLINE_TCP_1
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit ip 192.168.200.0 255.255.255.0 interface inside
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu dmz 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any dmz
icmp permit any inside
asdm image disk0:/asdm-633.bin
no asdm history enable
arp timeout 14400
!
object network NAT_inside-dmz
 nat (inside,dmz) static 10.0.20.0
object network NAT_publicmail-inside
 nat (dmz,inside) static 22.214.171.124
object network Mail-public-NAT
 nat (dmz,outside) static 126.96.36.199
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 188.8.131.52 5
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 192.168.200.0 255.255.255.0 dmz
ssh timeout 15
console timeout 15
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username person1 password zzzzzzzzzzzzzzzzzzzzz encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email email@example.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:6cd3f694c203d8834db45741fe3147b5
: end
Any help to clear up some of these issues and steer me in the right direction would be very gratefully received.
Are you sure you want to translate addresses for communication between the inside network and the DMZ? Since they are both private networks, you don't necessarily need to configure any NAT between these interfaces (there is no 'nat-control' in ASA 8.3 like there was in previous versions). The hosts should be able to communicate using their internal/private addresses just fine.
You would also need to configure an access-list in the inbound direction on the DMZ interface if the server in the DMZ will initiate any of these connections, such as:
access-list dmz_access_in permit ip host 192.168.200.53 host 10.0.20.40
access-group dmz_access_in in interface dmz
As for problem #3, this is caused by an incorrect ACL entry. In ASA 8.3, you need to use the real/local IP address in the access-list rather than the mapped/global IP like you would do in pre-8.3 configs. Your ACL should look like this:
access-list outside_access_in extended permit tcp any host 192.168.200.53 object-group DM_INLINE_TCP_1
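The two points in this answer (an inbound ACL is needed on any interface whose hosts initiate connections, and post-8.3 ACEs must name the real address rather than the NAT mapped one) are easy to verify mechanically against a running-config. The script below is an added example, not code from the original thread or from Cisco: it parses the `object network` / `nat` / `access-list` / `access-group` lines of an ASA 8.3-style config and reports (a) ACEs bound inbound on an interface that use a `host` operand equal to a static NAT mapped address on that same interface, with the corrected line, and (b) named interfaces with no inbound access-group. The embedded sample config is constructed to mirror the poster's shape; the public address 203.0.113.10 is a made-up documentation address standing in for the real mapped IP.

```python
"""Lint an ASA 8.3+ running-config for two common post-8.3 mistakes (added example)."""
import re
from collections import defaultdict

# Constructed sample: same structure as the thread's config, public IP made up.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
interface Ethernet0/1
 nameif dmz
 security-level 10
interface Ethernet0/2
 nameif inside
 security-level 100
object network Mail-public-NAT
 host 192.168.200.53
 description Static NAT between mail edge server in dmz and outside
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
access-list outside_access_in extended permit tcp any host 203.0.113.10 object-group DM_INLINE_TCP_1
access-list inside_access_in extended permit ip any any
object network Mail-public-NAT
 nat (dmz,outside) static 203.0.113.10
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
"""

NAT_RE = re.compile(r"nat \(([\w-]+),([\w-]+)\) static (\S+)")


def parse_config(text):
    """Return (nat_map, acls, access_groups, nameifs).

    nat_map: mapped address -> (real address, object name, real-side nameif, mapped-side nameif)
    acls: ACL name -> list of ACE lines
    access_groups: nameif -> ACL bound inbound on it
    nameifs: every interface that has a nameif
    """
    objects, nat_map, acls, access_groups, nameifs = {}, {}, defaultdict(list), {}, set()
    current_obj = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indented, line = raw.startswith(" "), raw.strip()
        if indented:
            if line.startswith("nameif "):
                nameifs.add(line.split()[1])
            elif current_obj and line.startswith(("host ", "subnet ")):
                objects[current_obj] = line.split()[1]      # real address of the object
            elif current_obj and line.startswith("nat ("):
                m = NAT_RE.match(line)
                if m and current_obj in objects:
                    nat_map[m.group(3)] = (objects[current_obj], current_obj, m.group(1), m.group(2))
            continue
        current_obj = None                                   # any top-level line closes an object block
        if line.startswith("object network "):
            current_obj = line.split()[2]
        elif line.startswith("access-list "):
            acls[line.split()[1]].append(line)
        elif line.startswith("access-group "):
            parts = line.split()                             # access-group NAME in interface IFACE
            if "in" in parts and "interface" in parts:
                access_groups[parts[parts.index("interface") + 1]] = parts[1]
    return nat_map, acls, access_groups, nameifs


def find_mapped_address_aces(nat_map, acls, access_groups):
    """ACEs whose 'host X' operand is a NAT mapped address on the interface the ACL is bound to."""
    findings = []
    for iface, acl_name in access_groups.items():
        for ace in acls.get(acl_name, []):
            tokens = ace.split()
            for i, tok in enumerate(tokens[:-1]):
                if tok == "host" and tokens[i + 1] in nat_map:
                    real, obj, _real_if, mapped_if = nat_map[tokens[i + 1]]
                    if mapped_if == iface:                   # ACE uses the global IP; 8.3 wants the real one
                        findings.append({
                            "interface": iface, "acl": acl_name, "object": obj,
                            "mapped": tokens[i + 1], "real": real,
                            "fix": ace.replace("host " + tokens[i + 1], "host " + real),
                        })
    return findings


def find_interfaces_without_inbound_acl(nameifs, access_groups):
    """Named interfaces with no 'access-group ... in interface' bound (e.g. a DMZ that initiates traffic)."""
    return sorted(nameifs - set(access_groups))


def lint_config(text):
    nat_map, acls, access_groups, nameifs = parse_config(text)
    return (find_mapped_address_aces(nat_map, acls, access_groups),
            find_interfaces_without_inbound_acl(nameifs, access_groups))


if __name__ == "__main__":
    mapped_aces, unguarded = lint_config(SAMPLE_CONFIG)
    for f in mapped_aces:
        print(f"[{f['interface']}] {f['acl']}: uses mapped {f['mapped']} for object {f['object']}")
        print(f"    fix -> {f['fix']}")
    for iface in unguarded:
        print(f"[{iface}] no inbound access-group bound; connections initiated here use the default policy")
```

Run against a saved `show running-config` instead of the sample by reading the file into `lint_config`. The check only looks at `host` operands against `static` NAT lines, which is exactly the shape of the misconfiguration in problem #3; dynamic NAT and object-group sources are left alone rather than guessed at.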
Thanks for your assistance, Mike. Your suggestions helped somewhat, though I still found that I had no communication between inside and dmz until I reinstated a static NAT between them (no IP translation, just a NAT rule).
I've still to iron out some other bits and pieces, but I'm certainly closer, and I thank you for helping me with that.